Using AES CTR mode with Java / Clojure

From:
andrew cooke <andrew@...>

Date:
Sun, 27 May 2012 08:49:45 -0400

I needed to generate a sequence of "random" bytes and, for various reasons I
won't get into here, decided that running AES in CTR mode would be the best
solution.
Background:
https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29
The general procedure is described in detail in RFC2686, along with some test
vectors (thanks!) - http://www.ietf.org/rfc/rfc3686.txt - but it wasn't clear
to me how this mapped to the Java Cipher API.
It turns out that you need to do the following:
- create a cipher instance for AES/CTR/NoPadding
- create the CTRBLK as described in the RFC
- initialise the cipher with CTRBLK as the IV
- encoding blocks of zero bytes then returns the key stream
The two main sources fo confusion are:
- What the RFC calls the CTRBLK is what Java calls the IV (what RFC calls
the IV is the central 8 bytes of the Java IV).
- Java automatically increments CTRBLK on successive calls to update.
And I verified all this by testing against the 128-bit test vectors in the
RFC (that is the ONLY verification made - I have not looked at any source and
I am not an expert at this...).
Here is the equivalent Clojure code (cut+pasted from a more complete module
that I will be releasing soon - you can see the code at
https://github.com/andrewcooke/particl/blob/master/src/cl/parti/random.clj):
(ns cl.parti.random
(:use (cl.parti utils))
(:import javax.crypto.Cipher)
(:import javax.crypto.spec.SecretKeySpec)
(:import javax.crypto.spec.IvParameterSpec)
(:import java.security.MessageDigest))
;; Constants for AES in counter mode.
(def ^:private CIPHER "AES")
(def ^:private CIPHER_SPEC (str CIPHER "/CTR/NoPadding"))
(def ^:private BLOCK_SIZE 16)
(def ^:private NONCE_SIZE 4)
(def ^:private IV_SIZE 8)
(def ^:private CTR_SIZE 4)
(def ^:private KEY_SIZE 16)
(def ^:private ^{:doc "The hash used for nonce and IV."} HASH "SHA-1")
;; ## Basic counter mode operation
;;
;; The general approach follows
;; [RFC3686](http://www.faqs.org/rfcs/rfc3686.html), except that Java
;; handles the increment of the counter.
(def ^:private ^{:doc "An array of zeroes; used as the 'plaintext' since we
want to access the key stream."}
BLANK (byte-array BLOCK_SIZE (byte 0)))
(defn- stream-blocks
"Run the given cipher, generating a lazy stream of blocks. The underlying
Java code increments the counter after each loop, generating a lazy stream
of blocks."
[cipher]
(lazy-seq
(let [block (.update cipher BLANK)]
(cons block (stream-blocks cipher)))))
(defn- stream-bytes
"Convert a stream of blocks to a stream of bytes.
The first form re-calls with the head block and a zero offset.
The second form recurses through the available bytes in the block and
then re-calls with the remaining blocks."
([blocks] (stream-bytes (first blocks) 0 (rest blocks)))
([block i blocks]
(lazy-seq
(if (= i BLOCK_SIZE)
(stream-bytes blocks)
(cons (nth block i) (stream-bytes block (inc i) blocks))))))
(defn- init-ctrblk
"Create a counter block with CTR set to 1 (lsb)."
[nonce iv]
(byte-array
(for [i (range BLOCK_SIZE)]
(let [j (- i NONCE_SIZE)]
(cond
(< i NONCE_SIZE) (nth nonce i)
(< j IV_SIZE) (nth iv j)
(not= i (dec BLOCK_SIZE)) (byte 0)
:else (byte 1))))))
(defn stream-aes-ctr
"Generate a stream of bytes from the initial data, using AES in counter
mode.
This is tested against the three 128-bit test vectors in
[RFC3686](http://www.faqs.org/rfcs/rfc3686.html) - the bytes returned
match those expected for the key stream."
[key nonce iv]
(let [cipher (Cipher/getInstance CIPHER_SPEC)
key (SecretKeySpec. key CIPHER)
ctrblk (init-ctrblk nonce iv)]
(do (.init cipher Cipher/ENCRYPT_MODE key (IvParameterSpec. ctrblk))
(stream-bytes (stream-blocks cipher)))))
Andrew